CVE-2024-12708: 
WordPress vulnerability analysis and mitigation

The Bulk Me Now! WordPress plugin through version 2.0 contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2024-12708. The vulnerability was discovered and publicly disclosed on January 9, 2025. The issue affects users with contributor role and above who can exploit unvalidated and unescaped shortcode attributes (WPScan).

The vulnerability stems from the plugin's failure to properly validate and escape shortcode attributes before outputting them back in pages or posts where the shortcode is embedded. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows authenticated users with contributor privileges or higher to perform Stored Cross-Site Scripting attacks. This could potentially lead to the execution of malicious JavaScript code in users' browsers when they view affected pages (WPScan).

Currently, there is no known fix available for this vulnerability. Users of the Bulk Me Now! WordPress plugin should consider either removing the plugin or implementing additional security controls to restrict access to users who can create and edit posts (WPScan).